added: Clair image scanner and update dependencies

ammnt · Jun 2, 2024 · d8c8ccc · d8c8ccc
1 parent 8163c36
commit d8c8ccc
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 2 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -104,7 +104,7 @@ jobs:
           scanners: "vuln"
 
       - name: Upload Trivy report📊
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v4.3.3
         with:
           name: trivy-sbom-report
           path: "${{ github.workspace }}/dependency-results.sbom.json"
@@ -144,6 +144,16 @@ jobs:
         with:
           sarif_file: snyk.sarif
 
+      - name: Analyze image with Clair💊
+        run: |
+          docker run -d --name db arminc/clair-db
+          sleep 15
+          docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan
+          sleep 1
+          DOCKER_GATEWAY=$(docker network inspect bridge --format "{{range .IPAM.Config}}{{.Gateway}}{{end}}")
+          wget -qO clair-scanner https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64 && chmod +x clair-scanner
+          ./clair-scanner --ip="$DOCKER_GATEWAY" ghcr.io/ammnt/nginx:main || exit 0
+
       - name: Push the Docker images to registries💾
         run: |
           docker push ghcr.io/ammnt/nginx:main

diff --git a/README.md b/README.md
@@ -25,7 +25,7 @@ https://github.com/openssl/openssl
 - Added OCI labels and annotations;
 - No excess ENTRYPOINT in the image;
 - Slimmed version by Docker Slim tool;
-- Scanned by vulnerability scanners: GitHub, Docker Scout, Snyk, Anchore and Syft;
+- Scanned by vulnerability scanners: GitHub, Docker Scout, Snyk, Anchore, Clair and Syft;
 - Prioritize ChaCha cipher patch and anonymous signature - removed "Server" header ("banner"):<br>
 https://github.com/ammnt/nginx/blob/http3/Dockerfile